Athenahealth

Security checks across malware telemetry and agentic risk

Overview

This Athenahealth skill appears purpose-aligned, but it can route sensitive healthcare records through a broad Membrane API proxy without enough built-in safeguards.

Install only if your organization is comfortable using Membrane for Athenahealth access. Treat all patient, appointment, observation, and claims data as PHI; use prebuilt actions where possible, limit queries to the minimum needed, avoid raw proxy writes unless explicitly confirmed, and verify Membrane's compliance, retention, and audit controls before use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

High

Confidence: 93% confidence
Finding: The skill explicitly encourages direct proxy access to Athenahealth APIs without any safety guidance about PHI/PII handling, minimum necessary access, confirmation for write operations, or audit/logging hygiene. In a healthcare context, this increases the likelihood that an agent will retrieve, transmit, or modify sensitive medical data in an unsafe or overbroad manner, potentially leading to privacy violations or unauthorized actions.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal